
Trojan.webkit - how does it get in?

Hey guys,

While on a visit to a company outlet, I connected my laptop to their VLAN. No sooner had I connected the laptop to their network than my AV started detecting a trojan. I was trying to access Google and I could see the status bar showing a redirect to qwertyy.cx (don't visit). It tried to access a page on the URL that was being detected as the malware. I have a different AV from the ones on the endpoints at all outlets. Also, I have Windows Vista Business, fully patched. I have no extra software on my machine that is not patched; I checked my laptop again with Secunia's scanner. I have a software-based firewall too (although it doesn't come into the picture much here). All unwanted ports and services are blocked. So how does it get in? Is it my laptop, or is it affecting traffic of the entire network?

I checked the logs of the endpoints at the outlet, all filled with the same trojan entry; we use SEP at all endpoints. These are not patched completely and have a few pieces of software that are *old*. I can understand them being infected. But my question is: how is my laptop getting broken into?

Basically, it isn't... your AV has detected the malware's attempted activity and blocked it.

The detection is for generic HTML files that attempt to redirect your browser. It exists on the host (server) not on your laptop (client).

Provided that you have not actually been redirected to a malicious site you should be perfectly OK. It is when you get to these sites that the bad guys try to download other malicious software to your machine.
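One way to act on the point made in this reply (the redirect lives in HTML served by a host, not on the client) is to scan the pages the start-page web servers actually serve for redirect or embed targets that leave the trusted intranet hosts. This is an added example, not code from the thread or from any AV product; the trusted hostnames and both sample pages are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the intranet start pages may legitimately send the browser to
# (constructed for this example; substitute the real hostnames).
TRUSTED_HOSTS = {"intranet.example.local", "startpage.example.local"}
# Matches  location = "..."  /  window.location.href = "..."  and similar assignments.
JS_REDIRECT = re.compile(
    r"""(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""", re.I)

class RedirectFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []        # list of (kind, url) that point off the trusted hosts
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)           # HTMLParser lower-cases tag and attribute names
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\";]+)", a.get("content") or "", re.I)
            if m:
                self._note("meta-refresh", m.group(1))
        elif tag in ("iframe", "script") and a.get("src"):
            self._note(tag + "-src", a["src"])
        if tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):  # script bodies arrive here as raw text
        if self._in_script:
            for url in JS_REDIRECT.findall(data):
                self._note("js-location", url)
    def _note(self, kind, url):
        host = urlparse(url.strip()).hostname   # relative URLs have no host: same-site, ignored
        if host and host not in TRUSTED_HOSTS:
            self.findings.append((kind, url.strip()))

def find_offsite_redirects(html):
    """Return [(kind, url), ...] for every redirect or embed that leaves the trusted hosts."""
    parser = RedirectFinder()
    parser.feed(html)
    return parser.findings

# Constructed sample pages, not content from the thread's servers.
CLEAN_PAGE = ('<html><head><meta http-equiv="refresh" content="30; url=http://intranet.example.local/news.html">'
              '<script src="http://intranet.example.local/js/app.js"></script></head><body>ok</body></html>')
INJECTED_PAGE = CLEAN_PAGE.replace("</body>",
    '<iframe src="http://drop-site.invalid/x.php" width="1" height="1"></iframe>'
    '<script>window.location.href="http://drop-site.invalid/r/";</script></body>')
```

Run it over the HTML fetched from each start-page server (or over the files in the web root); a page that reports findings while the AV stays quiet on the client is the server-side copy you want to clean and to check in the file-change history.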

Hey guys, thanks a lot for the replies. I am sorry I couldn't reply sooner, but I've been busy since the incident.

We have around 30 servers: ADs, web, SQL, AV and so on. I secured all the ADs and I'm sure I'll have to move on to the web now. I'm sure it's the web server, since it houses the sites that are displayed once you log on.

Anyway, if there are any pointers, please pass them on. I'm trying to secure Windows 2000 servers here, you see :|

I need help here, guys. I still can't find the source of the infection. I was in the same VLAN today (store) and there is a variant of the same Trojan that the browser was redirected to.

Since the last time I've blocked the "drop-off" site, and now I've to add one more to the list. I've patched, scanned and secured the ADs and web servers. There are still lots to go, though. I'm the only one securing all this and I still don't have full rights (management issue - don't ask). I am still not sure how the VLAN gets infected. Out of so many VLANs, only a few are infected with this. But all of them log onto the same AD(s) and have the same 2 web servers throwing startup pages. The fact that I have stopped access to these URLs takes a toll on surfing in the infected VLANs, since the malware redirects them to the infected site and the legitimate (user-entered) site never loads.

I'm sorry, but I'm stressed out fighting this alone with "limited" access. I would really appreciate help here.